3 Replies - 5291 Views - Last Post: 26 July 2013 - 08:54 AM

#1 unit998x

MySQL Connection String Security

Posted 25 July 2013 - 01:54 AM

Hello,

I am fairly new to MySQL programming and I have built my application; however, I have thought that once it is released it is very easy to get the database username and password. While this may not be a major problem, as most users will be unaware of .NET decompilation, should the program be used by the wrong person, the credentials can easily be extracted and used to alter the database through their own programs.

This is my connection code as seen in VS2010:
        If IsNothing(MysqlConn) Then

            MysqlConn = New MySqlConnection()
            MysqlConn.ConnectionString = "server=remote.server.somewhere;" &
                "uid=username;" &
                "pwd=password;" &
                "database=my_database;" &
                "CertificateFile=client.pfx;" &
                "CertificatePassword=PFXPasscode;" &
                "SSL Mode=Required"

            Try
                MysqlConn.Open()
                'MessageBox.Show("Connection to database was opened!")
                'MysqlConn.Close()
            Catch ex As MySqlException
                MessageBox.Show("Cannot connect to OSM: " & ex.Message, "Database Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
                MysqlConn.Dispose()
                Exit Sub
            End Try
        End If



And this is the result I get using reflector.

        If Information.IsNothing(Me.MysqlConn) Then
            Me.MysqlConn = New MySqlConnection
            Me.MysqlConn.ConnectionString = "server=remote.server.somewhere;uid=username;pwd=password;database=my_database;CertificateFile=client.pfx;CertificatePassword=PFXPasscode;SSL Mode=Required"
            Try 
                Me.MysqlConn.Open
            Catch exception1 As MySqlException
                ProjectData.SetProjectError(exception1)
                Dim ex As MySqlException = exception1
                MessageBox.Show(("Cannot connect to OSM: " & ex.Message), "Database Error", MessageBoxButtons.OK, MessageBoxIcon.Hand)
                Me.MysqlConn.Dispose
                ProjectData.ClearProjectError
                Return
                ProjectData.ClearProjectError
            End Try
        End If



There must be a better way of using the connection string. I thought maybe a PHP page could authenticate the users, then send them the MySQL password, but this seems insecure? Could someone offer a better suggestion?
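
The exposure described in this post, as an added example that is not part of the original thread: a pre-release check a developer could run over their own source or decompiler output to flag connection-string secrets sitting in string literals. Both sample inputs are constructed from the connection string shown in the post, and treating `password` as an alias of `pwd` is an assumption.

```python
import re

# Keys whose values are secrets. "pwd" and "CertificatePassword" are the ones
# in the post's connection string; "password" is added as an assumed alias.
SECRET_KEYS = {"pwd", "password", "certificatepassword"}

# A VB.NET string literal; a doubled quote ("") is an escaped quote inside it.
VB_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def find_embedded_secrets(text):
    """Return (line_no, key, redacted_value) for each secret key=value pair
    found inside a string literal of VB.NET source or decompiler output."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for literal in VB_LITERAL.findall(line):
            for pair in literal.replace('""', '"').split(";"):
                key, sep, value = pair.partition("=")
                normalized = key.strip().lower().replace(" ", "")
                if sep and value.strip() and normalized in SECRET_KEYS:
                    findings.append((line_no, key.strip(), "*" * len(value.strip())))
    return findings


# Constructed sample: the concatenated form from the post's source listing.
SOURCE_SAMPLE = '''MysqlConn.ConnectionString = "server=remote.server.somewhere;" &
    "uid=username;" &
    "pwd=password;" &
    "CertificateFile=client.pfx;" &
    "CertificatePassword=PFXPasscode;" &
    "SSL Mode=Required"
MessageBox.Show("Cannot connect to OSM: " & ex.Message, "Database Error")'''

# Constructed sample: the single merged literal as the decompiler shows it.
DECOMPILED_SAMPLE = ('Me.MysqlConn.ConnectionString = "server=remote.server.somewhere;'
                     'uid=username;pwd=password;database=my_database;'
                     'CertificateFile=client.pfx;CertificatePassword=PFXPasscode;'
                     'SSL Mode=Required"')

if __name__ == "__main__":
    for name, sample in (("source", SOURCE_SAMPLE), ("decompiled", DECOMPILED_SAMPLE)):
        for line_no, key, redacted in find_embedded_secrets(sample):
            print(f"{name}:{line_no}: {key}={redacted}")
```

Both forms produce the same two findings, which shows that splitting the string across concatenated literals in source does nothing to hide it once compiled.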


Replies To: MySQL Connection String Security

#2 deery5000

Re: MySQL Connection String Security

Posted 25 July 2013 - 06:10 AM

Can you use a strongly named .dll and register this into the GAC, most people never look in the assembly :)

Oh and what is your app out of curiosity?

Pics etc?

This post has been edited by deery5000: 25 July 2013 - 06:12 AM


#3 torind_2000

Re: MySQL Connection String Security

Posted 25 July 2013 - 10:02 AM

This link is a post from DIC member CharlieMay that might be relevant to what you are asking.

#4 unit998x

Re: MySQL Connection String Security

Posted 26 July 2013 - 08:54 AM

@torind_2000
I am already using parameterized queries, but thanks for the link though.

@deery5000
The app is for managing a scout group; there are many existing services but they are paid and I fancied the challenge of making my own (I haven't done much DB programming before). The UI is very similar to an existing service, but it's only really for my group so it doesn't matter.

Screens (all details are false):

http://statusracingt...images/img1.png
http://statusracingt...images/img2.png
http://statusracingt...images/img3.png